Bug#778747: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

2015-02-22 Thread Kurt Roeckx
On Sun, Feb 22, 2015 at 01:49:16AM +0100, Florian Schlichting wrote: On Fri, Feb 20, 2015 at 10:50:20PM +0100, Kurt Roeckx wrote: On Fri, Feb 20, 2015 at 10:08:48PM +0100, Florian Schlichting wrote: | RC4 3880.5871 | RC4 Only 3712 0.7918

Bug#778747: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

2015-02-22 Thread Louis van Belle
With TLS it should be no problem to have those weak ciphers in the list I don't agree with this.. Due to weak crypters available and programs (for example postfix) offering them over TLS also cause problems. Google for : postfix SSL_accept error from for example.. This is mainly due

Bug#778747: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

2015-02-21 Thread Florian Schlichting
On Fri, Feb 20, 2015 at 10:50:20PM +0100, Kurt Roeckx wrote: On Fri, Feb 20, 2015 at 10:08:48PM +0100, Florian Schlichting wrote: | RC4 3880.5871 | RC4 Only 3712 0.7918 | RC4 Preferred 64613 13.7832 | RC4 forced in

Bug#778747: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

2015-02-20 Thread Florian Schlichting
On Fri, Feb 20, 2015 at 06:25:44PM +0100, Kurt Roeckx wrote: On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote: What servers, and what clients are we talking about here? You might want to look at those stats:

Bug#778747: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

2015-02-20 Thread Kurt Roeckx
On Fri, Feb 20, 2015 at 10:08:48PM +0100, Florian Schlichting wrote: On Fri, Feb 20, 2015 at 06:25:44PM +0100, Kurt Roeckx wrote: On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote: What servers, and what clients are we talking about here? You might want to look at

Bug#778747: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

2015-02-20 Thread Florian Schlichting
Hi Kurt, To protect our users and comply with adopted Internet standards, openssl in Debian should no longer include RC4 ciphers in the DEFAULT list of ciphers, neither in Jessie nor supported stable / oldstable releases. I fully support that RFC. However I don't think it's a good idea

Bug#778747: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

2015-02-20 Thread Kurt Roeckx
On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote: Hi Kurt, To protect our users and comply with adopted Internet standards, openssl in Debian should no longer include RC4 ciphers in the DEFAULT list of ciphers, neither in Jessie nor supported stable / oldstable

Bug#778747: [Pkg-openssl-devel] Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

2015-02-19 Thread Kurt Roeckx
On Thu, Feb 19, 2015 at 10:38:14AM +0100, Florian Schlichting wrote: Package: openssl Version: 1.0.1e-2+deb7u14 Severity: serious Tags: security Newly released RFC 7465 [0] describes RC4 as being on the verge of becoming practically exploitable and consequently mandates that both servers